
Email messages are sent unencrypted when Encryption Desktop PGP Tray is not running

Article ID: 172697

Products

Desktop Email Encryption, Encryption Management Server

Issue/Introduction

By default, Symantec Encryption Desktop 10.4.1 MP1 and above will block email messages from being sent if PGP Tray is not running. 

However, on systems with UEFI Secure Boot enabled running Encryption Desktop 10.4.2 MP1 and below, messages are not blocked, which can result in messages that should be encrypted being sent unencrypted.

Note that in releases prior to 10.4.1 MP1 on systems without Secure Boot enabled, mail can be blocked if PGP Tray is not running by doing the following in the Encryption Management Server management console:

  1. Click on Consumers / Consumer Policy.
  2. Click on the name of the policy to edit.
  3. Click on the Edit button in the General section.
  4. Click on the Edit Preferences button.
  5. Add the following setting and click the Save button:
     • Pref Name: blockMailIfInitFailed
     • Type: Boolean
     • Value: True

Note that by default, messages will be encrypted if they meet any one of these criteria:
  1. The user has clicked on the Encrypt button in Outlook.
  2. The message has [pgp] in the message Subject. Note that the pgp text is not case sensitive.
  3. The message is classified as Confidential.
  4. The message is classified as Private.

Environment

  • Windows running UEFI Secure Boot.
  • Symantec Encryption Desktop 10.3 and above with the blockMailIfInitFailed policy enabled. Note that this policy is enabled by default in Encryption Desktop 10.4.1 MP1 and above.

Cause

The blockMailIfInitFailed policy is dependent on the Windows AppInit_DLLs infrastructure. Secure Boot disables this mechanism.
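The following PowerShell check is an added example, not Symantec's code or part of the product: it reports whether Secure Boot is on and what the Windows AppInit_DLLs registry values hold, so an administrator can identify machines where blockMailIfInitFailed cannot enforce on the affected releases. It assumes the documented AppInit_DLLs registry locations and the Confirm-SecureBootUEFI cmdlet (run as Administrator).

```powershell
# Added check (not Symantec's code): can the AppInit_DLLs mechanism that
# blockMailIfInitFailed relies on (Encryption Desktop 10.4.2 MP1 and below) work here?
$ErrorActionPreference = 'Stop'

function Get-SecureBootState {
    # Confirm-SecureBootUEFI returns $true/$false on UEFI systems and throws on legacy BIOS.
    try { return [bool](Confirm-SecureBootUEFI) }
    catch { return $false }
}

function Get-AppInitState {
    # Documented AppInit_DLLs values for 64-bit and 32-bit (WOW64) processes.
    $paths = @(
        'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows',
        'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows'
    )
    foreach ($p in $paths) {
        if (Test-Path $p) {
            $v = Get-ItemProperty -Path $p
            [pscustomobject]@{
                Hive          = $p
                LoadAppInit   = [int]$v.LoadAppInit_DLLs          # 1 = DLL loading enabled
                RequireSigned = [int]$v.RequireSignedAppInit_DLLs # 1 = only signed DLLs
                AppInitDlls   = [string]$v.AppInit_DLLs           # DLLs currently listed
            }
        }
    }
}

$secureBoot = Get-SecureBootState
$appInit    = Get-AppInitState

"Secure Boot enabled : $secureBoot"
$appInit | Format-Table -AutoSize

if ($secureBoot) {
    Write-Warning ('Secure Boot is on: Windows ignores AppInit_DLLs, so blockMailIfInitFailed ' +
                   'cannot enforce on Encryption Desktop 10.4.2 MP1 and below. ' +
                   'Upgrade to 10.4.2 MP2 or later (10.5 MP1 recommended).')
} else {
    'Secure Boot is off: AppInit_DLLs can load; enforcement still requires LoadAppInit_DLLs = 1.'
}
```

Run the script on a representative endpoint before relying on the policy; a warning means the upgrade in the Resolution section is the only way to get mail blocked when PGP Tray is not running.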

Resolution

Symantec Encryption Desktop 10.5 MP1 handles this issue best. Some fixes were included in Symantec Encryption Desktop 10.4.2 MP2, but Symantec recommends upgrading to 10.5 MP1 for best results.

In release 10.4.2 MP2 and above, the blockMailIfInitFailed policy is no longer dependent on the Windows AppInit_DLLs infrastructure.

Important Note: See article 190223 for more scenarios related to the PGP plugin and messaging service in which mail may not be encrypted properly.

Additional Information

190223 - The PGP plugin failed to initialize with Symantec Encryption Desktop and Outlook

225360 - PGP Message Blocked when sending email in Outlook

248101 - PGP Offline Policy: Messages Blocked in Outlook if the PGP Client cannot reach the PGP Server

Etrack: 4201984, 4266384